Fix SSL session resumption with ClientAuth.OPTIONAL and add tests with session tickets #14404
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation: It's a valid configuration to enable session tickets with TLSv1.2, and doing so makes a meaningful change to the SSLEngine behavior that we need to test for. Modification: - Collect the OpenSSL parameterization code for SSLEngineTest. - Add tickets being enabled or not as a parameter. - Fix a test that did not anticipate the session ticket behavior. Result: We now have test coverage with TLSv1.2 session tickets.
Motivation: If TLS is `OPTIONAL` then there won't always be a verified peer. This means there will be no calls on the server `TrustManager` to check if the client is trusted. That makes it look like a resumed session to the resumption controller. But there won't be any verified peer on the session, and trying to get the peer certificates will throw an exception. Modification: - Make the `ResumptionController` consider if the engine is in client mode, or if it requires client authentication, and only propagate `SSLPeerUnverifiedException` if so. - Make the `ResumptionController` swallow the `SSLPeerUnverifiedException` when client auth is OPTIONAL or NONE. - Add a test for this scenario. Result: The `ResumableX509ExtendedTrustManager` interface can now be used together with `ClientAuth.OPTIONAL`.
3c6b8bf to
12d973b
Compare
12d973b to
4ce9964
Compare
This reverts commit 4ce9964.
|
The extra testing makes the builds slower, particularly the BoringSSL builds, but that should be more than compensated for by #14405 |
Scottmitch
reviewed
Oct 21, 2024
|
|
||
| SSLSession session = engine.getSession(); | ||
| boolean valid = session.isValid(); | ||
| if (valid && (engine.getUseClientMode() || engine.getNeedClientAuth() || engine.getWantClientAuth()) && |
There was a problem hiding this comment.
can you add a comment clarifying the goal of this conditional?
getUseClientMode -> I assume this is to cover the case of "always do this on the client"
getNeedClientAuth || getWantClientAuth -> isn't the default treated by some engines as "want"? for example iirc openssl flavors will have the server request the client's certificate but if they don't return one it will succeed. so I'm just trying to understand if client/server need to be consistent and if not, why.
There was a problem hiding this comment.
@Scottmitch I've added comments explaining the logic. Please take a look.
Scottmitch
approved these changes
Oct 21, 2024
chrisvest
added a commit
that referenced
this pull request
Oct 22, 2024
…h session tickets (#14404) Motivation: If TLS is `OPTIONAL` then there won't always be a verified peer. This means there will be no calls on the server `TrustManager` to check if the client is trusted. That makes it look like a resumed session to the resumption controller. But there won't be any verified peer on the session, and trying to get the peer certificates will throw an exception. It's also a valid configuration to enable session tickets with TLSv1.2, and doing so makes a meaningful change to the `SSLEngine` behavior that we need to test for. Modification: - Collect the OpenSSL parameterization code for `SSLEngineTest`. - Add tickets being enabled or not as a parameter. - Fix a test that did not anticipate the session ticket behavior. - Make the `ResumptionController` consider if the engine is in client mode, or if it requires client authentication, and only propagate `SSLPeerUnverifiedException` if so. - Make the `ResumptionController` swallow the `SSLPeerUnverifiedException` when client auth is OPTIONAL or NONE. - Add a test for this scenario. Result: We now have test coverage with TLSv1.2 session tickets. The `ResumableX509ExtendedTrustManager` interface can now be used together with `ClientAuth.OPTIONAL`.
chrisvest
added a commit
to chrisvest/netty
that referenced
this pull request
Oct 22, 2024
…h session tickets (netty#14404) Motivation: If TLS is `OPTIONAL` then there won't always be a verified peer. This means there will be no calls on the server `TrustManager` to check if the client is trusted. That makes it look like a resumed session to the resumption controller. But there won't be any verified peer on the session, and trying to get the peer certificates will throw an exception. It's also a valid configuration to enable session tickets with TLSv1.2, and doing so makes a meaningful change to the `SSLEngine` behavior that we need to test for. Modification: - Collect the OpenSSL parameterization code for `SSLEngineTest`. - Add tickets being enabled or not as a parameter. - Fix a test that did not anticipate the session ticket behavior. - Make the `ResumptionController` consider if the engine is in client mode, or if it requires client authentication, and only propagate `SSLPeerUnverifiedException` if so. - Make the `ResumptionController` swallow the `SSLPeerUnverifiedException` when client auth is OPTIONAL or NONE. - Add a test for this scenario. Result: We now have test coverage with TLSv1.2 session tickets. The `ResumableX509ExtendedTrustManager` interface can now be used together with `ClientAuth.OPTIONAL`.
chrisvest
added a commit
that referenced
this pull request
Oct 23, 2024
Motivation: Some trust manager implementations produce custom user principals and store them in the SSLSession. Resumed TLS sessions, however, don't always recover the stored contents. For instance, with TLSv1.3 stateless session resumption, our TLS implementations only store the peer certificate chain (or even just the leaf cert) in the session ticket. In such a case, the trust manager would like to be notified of the resumption, so that the peer principal can be recreated and stored in the session once again. Modification: Add a ResumableX509ExtendedTrustManager interface, with callbacks for resumed client and server sessions. Add infrastructure (the ResumptionController) to detect session resumption in an SSLEngine implementation agnostic way; if a TLS handshake completed without any calls to the TrustManager, then we've made a "stateless resumption" (hand-wave details) and should call the appropriate resume method. The JDK APIs don't provide a method to reliably discern if a session has been resumed, so we instead detect if the trust manager was called during the handshake. We do this by wrapping user-supplied trust managers that implement the ResumableX509ExtendedTrustManager interface. The wrapper will monitor calls to the trust manager and register the relevant SSLEngine in the controller — the engine is the object that the trust manager and the SslHandler both have access to, which reliably identifies the specific TLS session. Before finished the handshake, the SslHandler queries the ResumptionController to see if the trust manager has already been called, or if it needs to be notified of resumption. Since it's possible that the peer certificates have expired since the initial session, the trust manager gets another change to throw CertificateException. Result: Handlers that expect to find user principals in the authenticated SSLSessions no longer find empty sessions, provided they use a trust manager that correctly implements ResumableX509ExtendedTrustManager. This is a forward port of #14358, #14404, and #14411
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
If TLS is
OPTIONALthen there won't always be a verified peer.This means there will be no calls on the server
TrustManagerto check if the client is trusted.That makes it look like a resumed session to the resumption controller.
But there won't be any verified peer on the session, and trying to get the peer certificates will throw an exception.
It's also a valid configuration to enable session tickets with TLSv1.2, and doing so makes a meaningful change to the
SSLEnginebehavior that we need to test for.Modification:
SSLEngineTest.ResumptionControllerconsider if the engine is in client mode, or if it requires client authentication, and only propagateSSLPeerUnverifiedExceptionif so.ResumptionControllerswallow theSSLPeerUnverifiedExceptionwhen client auth is OPTIONAL or NONE.Result:
We now have test coverage with TLSv1.2 session tickets.
The
ResumableX509ExtendedTrustManagerinterface can now be used together withClientAuth.OPTIONAL.